Skip to main content

Illumio Core for Kubernetes

Map Kubernetes Node Labels to Illumio Labels

Label mapping is a method of mapping some or all existing Kubernetes node labels to Illumio labels. Label maps are a new way to assign Illumio labels to container host workloads in addition to existing methods (such as with container workload profiles and pairing profiles). Labels assigned through label maps take precedence over these other methods -- that is, they overwrite any labels assigned with these other methods.

A label map is defined by a Kubernetes Custom Resource Definition (CRD) within a yaml file that is typically installed via a Helm Chart. Installing the Helm Chart then applies the defined labels.

Label Mapping CRD

The CRD is defined in the yaml file with a kind: LabelMap declaration, which in turn contains a nodeLabelMap section that applies to nodes (host workloads).

Within the nodeLabelMap section, Illumio label types are mapped with fromKey and toKey key-value pairs, where the fromKey value specifies a source Kubernetes label, and the toKey value paired with it defines the destination Illumio label type.

If an optional allowCreate: true is within a fromKey and toKey pair, the Illumio label type defined in that mapping is created if it does not already exist on the PCE.

An optional valuesMap: within a fromKey and toKey pair specifies one or more label value mappings for that label type, with from: value identifying the source Kubernetes label and the to: value following it specifying the destination Illumio label value. If no valuesMap: is specified, then label values for the mapped label type are not changed. Only the label type is changed in the PCE.

Example Label Map

Note these points about the following example label map:

  • The first nodeLabelMap item creates a new Illumio location label of Amazon (if it does not exist, per the allowCreate: true declaration) and maps this label to all nodes with the Kubernetes label topology.kubernetes.io/region with either value of eu-west-1 or eu-west-2.

  • With the second item under nodeLabelMap, for every node-type Kubernetes label, the map creates Illumio k8s-node labels with values based on the existing Kubernetes label values (because there is no associated valuesMap mapping definition).

kind: LabelMap
apiVersion: ic4k.illumio.com/v1alpha1
metadata:
  name: default
nodeLabelMap:
  - allowCreate: true
    fromKey: topology.kubernetes.io/region
    toKey: loc
    valuesMap:
      - from: eu-west-1
        to: Amazon
      - from: eu-west-2
        to: Amazon
- allowCreate: true
  fromKey: node-type
  toKey: k8s-node

The label type has to be created and exist in PCE first before new labels can be created through label mapping.